Description of the false positive
When there is a workflow that is triggered by a pull_request, this check considers the called workflow to be privileged even though it is not.
Code samples or links to source code
Triggered Workflow: https://raw.githubusercontent.com/llvm/llvm-project/refs/heads/main/.github/workflows/release-binaries-all.yml
Called Workflow: https://raw.githubusercontent.com/llvm/llvm-project/refs/heads/main/.github/workflows/release-binaries.yml
URL to the alert on GitHub code scanning (optional)
https://github.com/llvm/llvm-project/security/code-scanning/1828